
Security Review of Recommendation API - take #2
Closed, ResolvedPublic

Description

The Recommendation API service will soon enter production, so we would like the Security team to perform a review of the service. This is take #2; after the first review (T148133: Security review for Recommendation API) the service has been rewritten in NodeJS (using the service template) and greatly simplified.

Code: https://github.com/wikimedia/mediawiki-services-recommendation-api
Demo: deployment-sca0[1-4], port 9632 in the deployment-prep project

Details

Related Gerrit Patches:
mediawiki/services/recommendation-api : master : Add source parameter validation

Event Timeline

mobrovac created this task. Jul 4 2017, 3:47 PM
Restricted Application added a subscriber: Aklapper. Jul 4 2017, 3:47 PM

@dpatrick Is it possible to get a rough estimate of when you'll be able to work on this? Thanks

@schana, I'm scheduling this to start this week and be completed within two weeks.

Thank you @dpatrick ! For guidance, the parts that are specific to this service are the translation routes and the underlying functionality.

So my only complaint would be that it appears the source parameter is never validated. It should be checked that the value is sane (e.g. that it matches /^[a-zA-Z]+$/). Other than that, looks good.

I'm also not a fan of the way the swagger ui part works by running find and replace regexes over javascript, but it's not exploitable as they are static files, and it doesn't have anything to do with this project because it's part of the template.
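The following is an added illustration of the check the reviewer asks for above; it is not code from the recommendation-api repository or the service template. It allow-lists the `source` request parameter against the suggested `/^[a-zA-Z]+$/` pattern before the value is used, and rejects the request with a 400 otherwise. The function names (`validateSource`, `handleRequest`, `runSamples`) and the sample inputs are constructed for the example.

```javascript
// Added example (not the project's own code): allow-list validation of an
// untrusted `source` request parameter, following the reviewer's suggestion.

// Only ASCII letters, at least one. In JavaScript, `$` without the `m` flag
// matches only at the very end of the input, so "en\n" is rejected (unlike
// Python's `$`, which also matches before a trailing newline).
const SOURCE_PATTERN = /^[a-zA-Z]+$/;

// Returns true only for a non-empty string made entirely of ASCII letters.
// The typeof check matters: query parsers can hand over arrays or undefined
// (e.g. `?source=a&source=b`), and RegExp.test would coerce those to strings.
function validateSource(source) {
  return typeof source === 'string' && SOURCE_PATTERN.test(source);
}

// Minimal request handler in the shape of a service route. It returns a
// plain {status, body} object instead of touching a real HTTP server so the
// logic can be exercised offline. Invalid input never reaches the part of
// the handler that would use `source` to build downstream requests.
function handleRequest(params) {
  const source = params && params.source;
  if (!validateSource(source)) {
    return {
      status: 400,
      body: {
        type: 'bad_request',
        detail: 'source must be a non-empty string of ASCII letters',
      },
    };
  }
  // Hypothetical downstream use of the now-validated value.
  return { status: 200, body: { source } };
}

// Constructed sample inputs covering the cases a reviewer would want to see
// rejected: empty, separators, whitespace, newline, non-ASCII, wrong type.
function runSamples() {
  const samples = [
    { source: 'enwiki' },
    { source: 'en' },
    { source: '' },
    { source: 'en-wiki' },
    { source: 'en wiki' },
    { source: 'en\n' },
    { source: 'ru/../../etc' },
    { source: 'енвики' },
    { source: ['en', 'de'] },
    {},
  ];
  return samples.map((p) => ({ input: p.source, status: handleRequest(p).status }));
}

// Stand-alone run: prints one line per sample.
for (const r of runSamples()) {
  console.log(JSON.stringify(r.input), '->', r.status);
}
```

The allow-list is deliberately strict rather than trying to enumerate bad characters: a parameter that later becomes part of a URL or a lookup key only needs to admit the values the service actually expects, and anything else can be refused at the boundary with a clear error.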

Change 366222 had a related patch set uploaded (by Nschaaf; owner: Nschaaf):
[mediawiki/services/recommendation-api@master] Add source parameter validation

https://gerrit.wikimedia.org/r/366222

schana moved this task from Backlog to Needs deployed on the User-schana board.
schana removed a project: Patch-For-Review.

Change 366222 merged by Mobrovac:
[mediawiki/services/recommendation-api@master] Add source parameter validation

https://gerrit.wikimedia.org/r/366222

schana closed this task as Resolved. Aug 2 2017, 5:09 PM
schana claimed this task.
schana removed a project: User-schana.

The source parameter validation has been merged and deployed.

sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 6:32 PM